Month: March 2013

More recently I have started to make use of cloud-based systems, VPNs, web services and servers. One of the things I have wanted to build for a while is a portable router / WiFi hub that can push everything through a VPN connection.

There have recently been a lot of published warnings about people being exposed while surfing the internet at cafes or other public WiFi hotspots.

The idea of this project is to make use of a Raspberry Pi, a USB Ethernet dongle, a USB WiFi dongle and a VPN connection. The USB Ethernet dongle plugs into the public internet, while the Pi's on-board Ethernet socket (and, soon to come, the WiFi access point) acts as its own private network, tunnelling all data to the internet via the VPN connection.

Below are some of my notes about how I have built a Raspberry Pi VPN-secured router:

Raspberry Pi VPN Router Config

eth0 (on-board socket on the Pi) connected to the internal network
eth1 (USB to Ethernet) connected to the internet / upstream network
tun0 the VPN tunnel created when the Pi connects to the VPN server
wlan0 (USB to WiFi) not configured yet

Start with a NEW blank Raspbian (armhf) image from http://www.raspberrypi.org/downloads

The first thing you should do is run:

sudo apt-get update && sudo apt-get upgrade && sudo apt-get install ca-certificates

which will update and upgrade your Pi's base image and also install the CA certificate bundle (needed for anything that verifies TLS certificates, such as HTTPS downloads).

Once all the updates and installs have taken place we need to reboot the pi:

sudo shutdown -r now

From here we need to configure all the network interfaces first,
then configure the VPN, test the VPN, and then install all the packages to make the Pi into a VPN'd router.

To configure the network interfaces we need to edit /etc/network/interfaces. To do this we will use nano:

sudo nano /etc/network/interfaces

To keep things flexible and easy to manage we want the INTERNET-facing Ethernet socket to be a DHCP client; remember this is the USB-to-Ethernet port (eth1). We want the INTERNAL-facing Ethernet socket (the one on the Pi, eth0) to have a static address and to issue IP addresses to connected computers. When the VPN connection goes live we will link eth0 to tun0 so that all traffic from eth0 goes via the VPN connection.

Inside /etc/network/interfaces we need to add the following (replacing the existing contents):

The DHCP server side (isc-dhcp-server, configured in /etc/dhcp/dhcpd.conf) sets the lease range from 192.168.50.10 to 192.168.50.250, more than enough for a small local network.
The network's domain is called 'local'; you can change this to anything you want, e.g. home.

I've also added Google's public DNS servers to the settings, which means any DNS lookups will resolve against Google and not your ISP. If you're using a custom DNS server, this is the place to change the information to reflect that.

Now Save the file and exit.

You can restart the DHCP service by typing:

sudo /etc/init.d/isc-dhcp-server restart

You should receive two OK messages (one for stopping the service, one for starting it).

If you have more than one device connected to your (new) internal network you should be able to ping them by typing:

ping 192.168.50.55 (assuming your pinging device has an IP of 192.168.50.55), but they won't be able to reach the wider world just yet.
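The two files this section configures, as an added example and not the post's own files: a shell script that writes /etc/network/interfaces and /etc/dhcp/dhcpd.conf from the values above. The interface roles, the 192.168.50.10 to 192.168.50.250 pool, the 'local' domain and Google's resolvers are taken from the post; the gateway address 192.168.50.1, the lease times and the /etc/default/isc-dhcp-server line (which tells the DHCP server to listen only on eth0, so it never answers requests arriving on the public-facing dongle) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the two files the post
# configures. Run with "install" as root to write them under /, or set ROOT to
# a staging directory to inspect the output first. Gateway address, lease
# times and the isc-dhcp-server listen interface are assumed values.
set -eu

WAN_IF="${WAN_IF:-eth1}"            # USB-to-Ethernet dongle: DHCP client (upstream)
LAN_IF="${LAN_IF:-eth0}"            # on-board socket: static, serves the private LAN
LAN_IP="${LAN_IP:-192.168.50.1}"    # assumed gateway address on the LAN
LAN_NET="${LAN_NET:-192.168.50.0}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"
BCAST="${BCAST:-192.168.50.255}"
RANGE_LO="${RANGE_LO:-192.168.50.10}"
RANGE_HI="${RANGE_HI:-192.168.50.250}"
DOMAIN="${DOMAIN:-local}"
DNS="${DNS:-8.8.8.8, 8.8.4.4}"

# /etc/network/interfaces: upstream side is a DHCP client, LAN side is static
# so dhcpd has a fixed address to bind to and hand out as the router.
gen_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

# Internet-facing side (USB dongle): take whatever the cafe/hotel hands out
auto $WAN_IF
iface $WAN_IF inet dhcp

# Internal side: static, this is the LAN's gateway and DHCP server
auto $LAN_IF
iface $LAN_IF inet static
    address $LAN_IP
    netmask $LAN_MASK
    network $LAN_NET
    broadcast $BCAST
EOF
}

# /etc/dhcp/dhcpd.conf: the pool, domain and resolvers handed to clients.
# Lease times are assumed defaults.
gen_dhcpd() {
    cat <<EOF
ddns-update-style none;
option domain-name "$DOMAIN";
option domain-name-servers $DNS;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet $LAN_NET netmask $LAN_MASK {
    range $RANGE_LO $RANGE_HI;
    option routers $LAN_IP;
    option broadcast-address $BCAST;
}
EOF
}

# Write both files under the given root (empty string means /). Also pin
# isc-dhcp-server to the LAN interface so it never serves leases on $WAN_IF.
install_config() {
    root="${1:-}"
    mkdir -p "$root/etc/network" "$root/etc/dhcp" "$root/etc/default"
    gen_interfaces > "$root/etc/network/interfaces"
    gen_dhcpd > "$root/etc/dhcp/dhcpd.conf"
    printf 'INTERFACES="%s"\n' "$LAN_IF" > "$root/etc/default/isc-dhcp-server"
}

# Usage: sudo sh pi-router-net.sh install
#        ROOT=/tmp/stage sh pi-router-net.sh install   (inspect before committing)
if [ "${1:-}" = "install" ]; then
    install_config "${ROOT:-}"
fi
```

After writing the real files, restart the DHCP service as the post describes and check `/var/log/syslog` for a DHCPOFFER when a client connects to eth0.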

Now we need to enable IP forwarding on the Pi, so that traffic from the internal network can be passed into the VPN tunnel and the replies passed back.

To do this type:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

(Note that sudo echo 1 > /proc/sys/net/ipv4/ip_forward does not work: the redirection is performed by your unprivileged shell, not by sudo, so it fails with "Permission denied".) This enables IPv4 forwarding immediately, but only until the next reboot; to make it permanent we also need to edit:

sudo nano /etc/sysctl.conf

and uncomment (remove the leading #) the line:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Save the file and exit.

Now we need to add an iptables NAT rule so that traffic leaving through the tunnel is rewritten to the tunnel's own address. Type in:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

This is only the NAT rule. On its own it does nothing to stop packets from eth0 being forwarded out of eth1 un-tunnelled if the VPN goes down, because the FORWARD chain still accepts everything by default.

Unfortunately, iptables rules live only in kernel memory: if the Pi loses power or is rebooted they are gone, losing all your settings (not handy if you plan on moving the Pi about), so we now need to save the new rules to a file.
This is done by saving your iptables state as a rules file:

sudo sh -c 'iptables-save > /etc/iptables.up.rules'

(The sh -c wrapper is needed for the same reason as above: a plain sudo iptables-save > file would have your own shell, not root, try to create the file in /etc.)

You can call the saved file anything you like, but it helps to keep things organised.
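A complete rule set for the router, as an added example and not the post's own rules: it keeps the post's MASQUERADE on tun0 and adds the piece the single rule lacks, a FORWARD policy that only lets LAN traffic out through the tunnel, so that if the VPN drops nothing from eth0 is forwarded out of eth1 in the clear. The interface names and the /etc/iptables.up.rules path are the post's; the DROP default policies, the allowance for LAN clients to reach the Pi itself and the use of iptables-restore's --test option are my choices. This goes somewhat beyond the post by producing the file in iptables-save format directly, so the same output is what the if-pre-up.d script restores at boot.

```shell
#!/bin/sh
# Added example, not the post's own rule set. Emits a full iptables policy for
# the router in iptables-save format and, with "apply", loads it, saves it to
# the rules file and turns on forwarding. Interface names follow the post;
# default DROP policies and the LAN->Pi allowance are assumptions.
set -eu

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
VPN_IF="${VPN_IF:-tun0}"
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"

# Print the rule set. iptables-restore ignores lines starting with '#'.
vpn_router_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The post's rule: NAT everything that leaves through the tunnel
-A POSTROUTING -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the Pi itself: loopback, replies to its own connections
# (apt, the OpenVPN client going out of $WAN_IF), DHCP offers from upstream
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
# LAN clients may talk to the Pi (DHCP, SSH for admin)
-A INPUT -i $LAN_IF -j ACCEPT
# Kill switch: LAN traffic may only be forwarded into the tunnel. There is
# deliberately no $LAN_IF -> $WAN_IF rule and the chain policy is DROP, so
# with $VPN_IF down the LAN loses connectivity instead of leaking out of $WAN_IF.
-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the rules, persist them and enable forwarding. Must run as root.
apply_rules() {
    vpn_router_rules | iptables-restore --test   # parse only; abort on a typo
    vpn_router_rules | iptables-restore
    vpn_router_rules > "$RULES_FILE"             # what if-pre-up.d restores at boot
    sysctl -w net.ipv4.ip_forward=1
}

# Usage: sudo sh vpn-router-fw.sh apply   (no argument: only define the functions)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

A quick check that the kill switch works: with the rules loaded, stop the VPN client and confirm from a LAN machine that `ping 8.8.8.8` gets no reply at all rather than a reply that has gone out of eth1.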
Now we need to create a script that loads the rules file before the network interfaces come up:

sudo nano /etc/network/if-pre-up.d/iptables

and insert:

#!/bin/sh
# This script restores the iptables rules at boot, before the interfaces come up

iptables-restore < /etc/iptables.up.rules

exit 0
Now we need to set the ownership and permissions of this file so it will run on boot: